Contents tagged with Security

This is an advance notification of security bulletins that Microsoft is intending to release on May 10, 2011. This bulletin advance notification will be replaced with the May bulletin summary on May 10, 2011.

The following table summarizes the security bulletins for this month in order of severity.

For details on affected software, see the next section, Affected Software.

Posted by sumeethevans on February 4 2011, 5:16 AM.
Posted in Security.

Today, as part of our usual monthly bulletin cadence, we are providing our Advance Notification Service for February's security bulletins. This month, we'll release 12 bulletins, three of them rated Critical and nine rated Important, addressing issues in Microsoft Windows, Internet Explorer, Office, Visual Studio, and IIS. 22 issues will be addressed.

As part of this month's update, we'll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer). Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5.

Posted by sumeethevans on October 8 2010, 9:58 PM.
Posted in Security.

The Microsoft Business Ready Security trial environment provides an end-to-end trial experience across all of the Business Ready Security solutions. The environment provides an opportunity to evaluate protection, access, management and identity technologies as a pre-configured set of VHDs.

The links in this section correspond to separate files available in this download. Download the files most appropriate for you.

Posted by sumeethevans on October 8 2010, 9:57 PM.
Posted in Security.

We announced back in September that Microsoft Security Essentials would be changing its licensing terms and would soon become available to small businesses on up to 10 PCs. We are happy to announce that beginning October 7, the change will go into effect and small business owners will be able to download and install Microsoft Security Essentials. This new availability will allow small businesses that operate outside of the home to take advantage of Microsoft’s no-cost antimalware service that will help them save time, save money and remain productive while protecting them from viruses, spyware and other malicious threats. If you operate a small business with more than 10 PCs, we do recommend that you consider using the Forefront line of products to address your security needs.

Posted by sumeethevans on September 14 2010, 12:49 AM.
Posted in Security.

Today we're releasing our Advance Notification Service (ANS) for the September Security Bulletins, which are scheduled for release Tuesday, September 14, 2010. This is a service we provide to help enterprises plan and prepare for the upcoming security bulletin release.

This month we will be releasing 9 bulletins addressing 11 vulnerabilities affecting Windows, Internet Information Services (IIS), and Microsoft Office. Four of those bulletins carry a Critical rating, with the rest rated Important.

We recommend as always that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Next Wednesday, September 15th, Adrian Stone and Jerry Bryant will host a public webcast during which they'll go into details about the bulletins, and answer questions live on the air. To register for this webcast in advance:

Posted by sumeethevans on August 3 2010, 12:52 AM.
Posted in Security.

As we announced on Friday, today we released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. As our colleagues over in the MMPC have noted, several families of malware have been attempting to attack this vulnerability. The security update protects against attempts to exploit this issue.

For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible.

As we do with every bulletin release, we will be hosting a webcast to address your questions today at 1PM Pacific Time. Register now.

Today we are announcing the beta for the next version of Microsoft Security Essentials. Microsoft Security Essentials was first released in September 2009 and is our award-winning, no-cost, lightweight anti-malware service. It’s designed to help address the ongoing security needs of PCs running genuine Windows – helping keep people protected from viruses, spyware, and other malicious software.

New features in the beta of Microsoft Security Essentials include:

Windows Firewall integration – During setup, Microsoft Security Essentials will now ask if you would like to turn the Windows Firewall on or off.

Enhanced protection for web-based threats – Microsoft Security Essentials now integrates with Internet Explorer to provide protection against web-based threats.

New protection engine – The updated anti-malware engine offers enhanced detection and cleanup capabilities with better performance.

Network inspection system* – Protection against network-based exploits is now built in to Microsoft Security Essentials.

To download the beta of Microsoft Security Essentials, visit the Microsoft Connect page to register for the beta. Once completed, you will find the instructions for downloading and installing the beta.

Vulnerabilities in Windows Could Allow Remote Code Execution (981210)

This security update resolves two privately reported vulnerabilities in Windows Authenticode Verification that could allow remote code execution. An attacker who successfully exploited either vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)

This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.

Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)

This security update resolves a privately reported vulnerability in Windows Media Services running on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. On Microsoft Windows 2000 Server, Windows Media Services is an optional component and is not installed by default.

Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)

This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file containing an MPEG Layer-3 audio stream. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)

This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

Vulnerability in VBScript Could Allow Remote Code Execution (981169)

This security update resolves a publicly disclosed vulnerability in VBScript on Microsoft Windows that could allow remote code execution. This security update is rated Important for Microsoft Windows 2000, Windows XP, and Windows Server 2003. On Windows Server 2008, Windows Vista, Windows 7, and Windows Server 2008 R2, the vulnerable code is not exploitable; however, as the code is present, this update is provided as a defense-in-depth measure and has no severity rating. The vulnerability could allow remote code execution if a malicious Web site displayed a specially crafted dialog box on a Web page and a user pressed the F1 key, causing the Windows Help System to be started with a Windows Help File provided by the attacker. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)

This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service. By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition.

Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)

This security update resolves two privately reported vulnerabilities in Microsoft Office Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerabilities in Windows ISATAP Component Could Allow Spoofing (978338)

This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Moderate for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows 7 and Windows Server 2008 R2 are not vulnerable because these operating systems include the feature deployed by this security update. This vulnerability could allow an attacker to spoof an IPv4 address so that it may bypass filtering devices that rely on the source IPv4 address. The security update addresses the vulnerability by changing the manner in which the Windows TCP/IP stack checks the source IPv6 address in a tunneled ISATAP packet.

Next Tuesday we will release 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office, and Microsoft Exchange. We recommend that customers review the ANS summary page and prepare to test and deploy the bulletins as quickly as possible.

Microsoft would also like to remind you all that it is extremely important for customers to move to supported platforms because after the dates below, those products/service packs will no longer receive security updates.

Windows XP Service Pack 2 will no longer be supported after July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.

Extended support for Windows 2000 will also be retired as of July 13, 2010. After that time, we will no longer provide security or any other updates for Windows 2000.

Windows Vista RTM will no longer be supported after the April 13, 2010 bulletin release. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.

Today we released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374. I want to reiterate that Internet Explorer 8 is not affected by this issue so customers using this version are not affected by these attacks and we continue to encourage customers to upgrade to the newer version because it provides more security and protection.

MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April. The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. Releasing the update early provides Internet Explorer 6 and 7 customers protection against the active attacks and provides users of all versions of Internet Explorer protection against nine other vulnerabilities.

Note: Internet Explorer 6 and 7 are the only versions affected by the active attacks, so why does the Advance Notification page state that Internet Explorer 8 and Windows 7 are affected? To clarify, the Security Advisory was released due to one vulnerability that is under active attack. That vulnerability only affects Internet Explorer 6 and 7. However, the bulletin, MS10-018, that we will release tomorrow, addresses 9 additional vulnerabilities. Some of those also affect Internet Explorer 8. All of the 9 additional vulnerabilities were responsibly disclosed and we are not aware of any active attacks against them.

MSRC Blog: Today we are providing advance notification to customers that we will be releasing two bulletins this month affecting Windows and Microsoft Office products. Both bulletins are rated Important and address a total of 8 vulnerabilities.

We recommend that customers review the Advance Notification webpage and prepare to deploy these bulletins as soon as possible. To provide additional guidance for deployment prioritization, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.

We’re also continuing to monitor the situation with Security Advisory 981169, the VBScript issue disclosed on Monday. There are no known attacks but we encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.

As always, we will be hosting a public webcast where we will go into details about the bulletins for March and where customers can ask questions. We will have a room full of engineers on hand to answer those questions live during the webcast. Here are the details:

One of the key components when investigating issues like this is obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.

We encourage customers to follow our “Protect Your PC” best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.